ASA v9.0.1 and ASDM v7.0.1 released

Looks like v9 is now out...
http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.pdf
Regards, Simon
http://www.linksysinfo.org

Thanks for spreading the good news, Simon.
People interested in these two releases can find them here.
ASA 9.0.1 and ASDM 7.0.1
Important points to consider before an upgrade to 9.0:
ASA and ASDM Compatibility (ASA 9.0(1) with ASDM 7.0(1))
ASA Model                                    Supported
ASA 5505                                     YES
ASA 5510, 5520, 5540                         YES
ASA 5550                                     YES
ASA 5580                                     YES
ASA 5512-X, 5515-X, 5525-X, 5545-X, 5555-X   YES
ASA 5585-X                                   YES
ASASM                                        YES
ASA 1000V                                    No
Limitations and Restrictions
•Clientless SSL VPN with a self-signed certificate on the ASA—When the ASA uses a self-signed certificate or an untrusted certificate, Firefox 4 and later and Safari are unable to add security exceptions when browsing using an IPv6 address HTTPS URL (FQDN URL is OK): the "Confirm Security Exception" button is disabled. See: https://bugzilla.mozilla.org/show_bug.cgi?id=633001. This caveat affects all SSL connections originating from Firefox or Safari to the ASA (including clientless SSL VPN connections, and ASDM connections). To avoid this caveat, configure a proper certificate for the ASA that is issued by a trusted certificate authority. For Internet Explorer 9 and later, use compatibility mode.
•Citrix Mobile Receiver and accessing Virtual Desktop Infrastructure (VDI):
–CSD is not supported.
–HTTP redirect is not supported.
–Using Citrix Receiver mobile clients to access web interface of Citrix servers is not supported.
–Certificate or smart card authentication is not supported as a means of auto sign-on.
–You must install XML service and configure on XenApp and XenDesktop servers.
–Make sure the ports 443, 1494, 2598, and 80 are open on any intermediate firewalls between the ASA and the XenApp/XenDesktop server.
–The password-expire-in-days notification on tunnel group that is used by VDI is not supported.
•When configuring for IKEv2, for security reasons you should use groups 21, 20, 19, 24, 14, and 5. We do not recommend Diffie-Hellman Group 1 or Group 2. For example, use
crypto ikev2 policy 10
group 21 20 19 24 14 5
As always, make sure you are familiar with the upgrade procedure: Upgrading the Software.
Important Notes
•Downgrading issues—Upgrading to Version 9.0 includes ACL migration (see the "ACL Migration in Version 9.0" section). Therefore, you cannot downgrade from 9.0 with a migrated configuration. Be sure to make a backup copy of your configuration before you upgrade so you can downgrade using the old configuration if required.
•Per-session PAT disabled when upgrading—Starting in Version 9.0, by default, all TCP PAT traffic and all UDP DNS traffic use per-session PAT (see the xlate per-session command in the command reference). If you upgrade to Version 9.0 from an earlier release, to maintain the existing functionality of multi-session PAT, the per-session PAT feature is disabled during configuration migration. The ASA adds the following deny rules:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
To enable per-session PAT after you upgrade, enter:
clear configure xlate
The above deny rules are cleared so that only the default permit rules are still in place, thus enabling per-session PAT.
•No Payload Encryption for export—You can purchase some models with No Payload Encryption. For export to some countries, payload encryption cannot be enabled on the Cisco ASA 5500 series. The ASA software senses a No Payload Encryption model, and disables the following features:
–Unified Communications
–VPN
You can still install the Strong Encryption (3DES/AES) license for use with management connections and encrypted route messages for OSPFv3. For example, you can use ASDM HTTPS/SSL, SSHv2, Telnet and SNMPv3. You can also download the dynamic database for the Botnet Traffic Filter (which uses SSL) and redirect traffic to Cloud Web Security.
More information at:
Release Notes for the Cisco ASA Series, 9.0(x)
HTH.
Portu.
Please rate any helpful posts
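The two migration points above (per-session PAT deny rules and the Diffie-Hellman group recommendation) are easy to miss in a long running-config. The following Python script is an added example, not code from the release notes or from Portu's post: it scans a saved `show run` for leftover `xlate per-session deny` rules, counting duplicates (the 5505 config quoted later in this thread shows four copies of each rule), and for IKE policies or PFS settings still using DH group 1 or 2. It generalises slightly beyond the text by also checking `crypto ikev1 policy` blocks and `set pfs` on crypto maps, not only `crypto ikev2 policy`. The config fragment embedded in it is constructed for the demonstration and is not from any real device.

```python
"""Audit a saved ASA running-config for two ASA 9.0 upgrade concerns.

Added example, not Cisco's or the forum's code.  It reports:
  1. leftover `xlate per-session deny ...` rules, which the 9.0 configuration
     migration inserts to keep legacy multi-session PAT in force;
  2. IKE policies or PFS settings still using Diffie-Hellman group 1 or 2
     rather than the recommended groups 21 20 19 24 14 5.
"""
import re

RECOMMENDED_DH_GROUPS = ("21", "20", "19", "24", "14", "5")
WEAK_DH_GROUPS = {"1", "2"}

# Constructed sample config, not a real device's.  The `tcp any4 any4` rule is
# deliberately present twice, as happens when the migration runs more than once.
SAMPLE_CONFIG = """\
ASA Version 9.0(2)
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 21 20 19 24 14 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2 5
 prf sha
 lifetime seconds 86400
: end
"""


def find_per_session_deny_rules(config):
    """Return {rule: count} for every `xlate per-session deny` line.

    Any entry means per-session PAT is still disabled for that traffic; a
    count above 1 means the migration added the rule more than once.
    """
    counts = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("xlate per-session deny "):
            counts[line] = counts.get(line, 0) + 1
    return counts


def find_weak_dh_groups(config):
    """Return (context, weak_groups) pairs where DH group 1 or 2 is used.

    `context` is the `crypto ikev1|ikev2 policy N` line a `group` command
    belongs to, or the crypto-map line carrying `set pfs group1|group2`.
    """
    findings = []
    current_policy = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current_policy = None  # a top-level command ends any policy block
            m = re.match(r"crypto ikev[12] policy \d+", line)
            if m:
                current_policy = m.group(0)
                continue
            m = re.search(r" set pfs group(\d+)$", line)
            if m and m.group(1) in WEAK_DH_GROUPS:
                findings.append((line[:m.start()], [m.group(1)]))
            continue
        if current_policy and line.strip().startswith("group "):
            weak = [g for g in line.split()[1:] if g in WEAK_DH_GROUPS]
            if weak:
                findings.append((current_policy, weak))
    return findings


if __name__ == "__main__":
    for rule, n in find_per_session_deny_rules(SAMPLE_CONFIG).items():
        print(f"per-session PAT still disabled by: {rule} (x{n}); "
              "fix: clear configure xlate")
    for context, groups in find_weak_dh_groups(SAMPLE_CONFIG):
        print(f"weak DH group(s) {' '.join(groups)} in: {context}; "
              f"prefer group {' '.join(RECOMMENDED_DH_GROUPS)}")
```

Run it against the output of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents). A non-empty result from the first function means `clear configure xlate` has not yet been issued after the upgrade; each tuple from the second names the exact policy or crypto map to revisit.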

Similar Messages

  • ASA 8.4.x and ASDM 6.4x download?

    Hi,
    I am searching for both files, because I want to configure one ASA with 8.2.1 and the other
    ASA with an 8.4.x image to see the differences between both versions. But I don't have
    an account to download the ASA image 8.4.x and the ASDM 6.4x to test it.
    Is there a chance to get those images without an account?
    BR
    Hans-Juergen Guenter

    No. Downloading ASA software images requires a service contract entitlement.
    There is a lot of literature and other information available on the differences. For example:
         https://supportforums.cisco.com/community/netpro/security/firewall?view=documents
    Also be advised that ASA 9.0 was released just this week.
         https://supportforums.cisco.com/thread/2179555?tstart=0
    Hope this helps.

  • ASA 5505 unable to access ASDM (just needs some ports open and forwarding set up)

    I was able to access the ASDM launcher in the browser yesterday via https://192.168.111.1/admin, and I was stuck there as the browser version says that my ASA image does not work with my ASDM version. So I tried some troubleshooting and think that I may have changed the image to an image that does not exist. (I'm not sure where it is that I would actually place that image either.) Now I am unable to access it through the browser at all.
    Anyway, I am OK with SSH/CLI and have been using my firewall in this manner. I am walking into this company's current configuration and simply need to do the following:
    I need to OPEN ports 9000, 85, 40085, 49005 so that my mobile device can pull my security cameras in the office.
    I need to set port forwarding so that any connections that hit the outside-in IP address 205.214.36.53:1610 >>> http://192.168.111.30:1610/AndroidWS/ for our new mobile CRM.
    I have been through some of your related discussions and am falling short somewhere. Please help.
    Here is my "show run" and my "dir":
    ciscoasa(config)# show run
    : Saved
    ASA Version 9.0(2)
    hostname ciscoasa
    domain-name scec.local
    enable password ol40hHpZTtZQFXMJ encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd ol40hHpZTtZQFXMJ encrypted
    names
    interface Ethernet0/0
     switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     nameif INSIDE
     security-level 100
     ip address 192.168.111.1 255.255.255.0
    interface Vlan2
     nameif OUTSIDE
     security-level 0
     ip address 205.214.236.50 255.255.255.240
    boot system disk0:/asa902-k8.bin
    boot system disk0:/asa825-k8.bin
    boot system disk0:/asa831-k8.bin
    ftp mode passive
    dns domain-lookup INSIDE
    dns domain-lookup OUTSIDE
    dns server-group DefaultDNS
     name-server 192.168.111.50
     name-server 8.8.8.8
     domain-name scec.local
    object network LAN
     subnet 192.168.111.0 255.255.255.0
    object network SERVER1
     host 192.168.111.50
    object network SERVER1_PUBLIC
     host 205.214.236.51
    object network SERVER2
     host 192.168.111.20
    object network SERVER2_PUBLIC
     host 205.214.236.52
    object network SERVER3
     host 192.168.111.30
    object network SERVER3_PUBLIC
     host 205.214.236.53
    object network SERVER4
     host 192.168.111.40
    object network SERVER4_PUBLIC
     host 205.214.236.54
    object network SERVER5
     host 192.168.111.10
    object network SERVER5_PUBLIC
     host 205.214.236.55
    object-group service SERVER1_PORTS tcp
     port-object eq www
     port-object eq https
     port-object eq smtp
     port-object eq pop3
     port-object eq imap4
     port-object eq 3389
    object-group service SERVER2_PORTS tcp
     port-object eq 3389
    object-group service SERVER3_PORTS tcp
     port-object eq 3389
    object-group service SERVER4_PORTS tcp
     port-object eq 3389
    object-group service SERVER5_PORTS tcp
     port-object eq 3389
     port-object eq www
     port-object eq https
    access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
    access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
    access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
    access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
    access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
    access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
    access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
    access-list OUTSIDE_IN extended permit icmp any any echo-reply
    access-list OUTSIDE_IN extended permit icmp any any time-exceeded
    access-list OUTSIDE_IN extended permit icmp any any unreachable
    access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
    access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
    access-list inside-out extended permit ip any any
    pager lines 24
    logging asdm informational
    mtu INSIDE 1500
    mtu OUTSIDE 1500
    ip audit name OUTSIDE_ATTACK attack action alarm drop
    ip audit name OUTSIDE_INFO info action alarm
    ip audit name INSIDE_ATTACK attack action alarm drop reset
    ip audit name INSIDE_INFO info action alarm
    ip audit interface INSIDE INSIDE_INFO
    ip audit interface OUTSIDE OUTSIDE_INFO
    ip audit interface OUTSIDE OUTSIDE_ATTACK
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    ip audit signature 6051 disable
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-509.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
    nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
    object network LAN
     nat (INSIDE,OUTSIDE) dynamic interface
    access-group inside-out in interface INSIDE
    access-group OUTSIDE_IN in interface OUTSIDE
    route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization exec LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 INSIDE
    ssh 0.0.0.0 0.0.0.0 OUTSIDE
    ssh timeout 5
    ssh version 2
    console timeout 0
    dhcpd option 3 ip 192.168.111.1
    dhcpd address 192.168.111.100-192.168.111.200 INSIDE
    dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
    dhcpd enable INSIDE
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username wti password OIEBfkGT1DRShCnN encrypted privilege 15
    username admin password g/t7o/eHDKMomDrS encrypted privilege 15
    username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
    username sysadmin password mi1AUI982JWkJuWt encrypted
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
    : end
    ciscoasa(config)# dir
    Directory of disk0:/
    148    -rwx  15390720     09:08:54 Jul 31 2013  asa825-k8.bin      
    149    -rwx  27611136     09:43:48 Oct 31 2013  asa902-k8.bin
    150    -rwx  2048         00:00:00 Jan 01 1980  FSCK0000.REC
    20     drwx  2048         09:12:16 Jul 31 2013  coredumpinfo
    151    -rwx  16280544     09:14:46 Jul 31 2013  asdm-645.bin
    10     drwx  2048         09:19:42 Jul 31 2013  log
    19     drwx  2048         09:20:08 Jul 31 2013  crypto_archive
    153    -rwx  14240396     14:14:18 Jun 11 2014  asdm-631.bin
    154    -rwx  4096         00:00:00 Jan 01 1980  FSCK0001.REC
    155    -rwx  12998641     09:20:28 Jul 31 2013  csd_3.5.2008-k9.pkg
    156    drwx  2048         09:20:30 Jul 31 2013  sdesktop
    157    -rwx  6487517      09:20:32 Jul 31 2013  anyconnect-macosx-i386-2.5.2014-k9.pkg
    158    -rwx  6689498      09:20:36 Jul 31 2013  anyconnect-linux-2.5.2014-k9.pkg
    159    -rwx  4678691      09:20:38 Jul 31 2013  anyconnect-win-2.5.2014-k9.pkg
    160    -rwx  4096         00:00:00 Jan 01 1980  FSCK0002.REC
    161    -rwx  4096         00:00:00 Jan 01 1980  FSCK0003.REC
    162    -rwx  4096         00:00:00 Jan 01 1980  FSCK0004.REC
    163    -rwx  6144         00:00:00 Jan 01 1980  FSCK0005.REC
    164    -rwx  6144         00:00:00 Jan 01 1980  FSCK0006.REC
    165    -rwx  6144         00:00:00 Jan 01 1980  FSCK0007.REC
    166    -rwx  22528        00:00:00 Jan 01 1980  FSCK0008.REC
    167    -rwx  38912        00:00:00 Jan 01 1980  FSCK0009.REC
    168    -rwx  34816        00:00:00 Jan 01 1980  FSCK0010.REC
    169    -rwx  43008        00:00:00 Jan 01 1980  FSCK0011.REC
    170    -rwx  2048         00:00:00 Jan 01 1980  FSCK0012.REC
    171    -rwx  26624        00:00:00 Jan 01 1980  FSCK0013.REC
    172    -rwx  2048         00:00:00 Jan 01 1980  FSCK0014.REC
    173    -rwx  26624        00:00:00 Jan 01 1980  FSCK0015.REC
    174    -rwx  2048         00:00:00 Jan 01 1980  FSCK0016.REC
    175    -rwx  2505         09:46:08 Oct 31 2013  8_2_5_0_startup_cfg.sav
    176    -rwx  1189         09:46:12 Oct 31 2013  upgrade_startup_errors_201310310946.log
    177    -rwx  100          16:42:40 Jun 10 2014  upgrade_startup_errors_201406101642.log
    178    -rwx  100          14:52:26 Jun 11 2014  upgrade_startup_errors_201406111452.log
    127004672 bytes total (21886976 bytes free)
    Please let me know if you need any other information from me so that I can get our mobile devices to connect to the new CRM from outside the network and allow the owner access on his mobile device to the company cameras.
    ************** (NOTE: I can do both of these things currently from within the network without any issues) **************
    THANKS

    Jgreene -
    This doesn't specifically answer your question, but if you want to get ASDM functionality back you need to load a newer version onto flash memory and then point the ASA to that with the configuration command:
    asdm image disk0:/asdm-version.bin
    You are running  ASA Version 9.0(2) so you need at least version 7 of ASDM to support that.  Interestingly enough your "asdm image" statement in your config points to asdm-509.bin and you have asdm-631.bin and asdm-645.bin on flash.  None of those will work.  I suggest loading up asdm-721.bin and changing the asdm image statement accordingly.  I am pretty sure a reboot is required after that is done.
    Good Luck!
    -Jeff
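Jeff's diagnosis (ASA 9.0(2) configured to serve asdm-509.bin, which is neither on flash nor new enough) can be made mechanical. The following Python script is an added example, not code from the thread or from Cisco: it reads the `ASA Version` and `asdm image` lines from a saved config and the entry names from a `dir disk0:/` capture, then reports whether the referenced ASDM image exists on flash and meets the minimum ASDM version for that ASA train. The only ASA/ASDM pairing taken from this page is 9.0 with 7.0; the 8.4 with 6.4 and 8.3 with 6.3 entries are assumptions from Cisco's compatibility matrix and should be verified against the current matrix. The config and dir fragments are constructed to mirror the situation above, not copied from the device.

```python
"""Check that an ASA's configured `asdm image` exists on flash and is new
enough for the running ASA version (added example, not Cisco's or the
thread's code).
"""
import re

# Minimum ASDM (major, minor) per ASA (major, minor) train.
MIN_ASDM_FOR_ASA = {
    (9, 0): (7, 0),  # stated in the 9.0 release-notes excerpt in this thread
    (8, 4): (6, 4),  # assumed from Cisco's compatibility matrix; verify
    (8, 3): (6, 3),  # assumed from Cisco's compatibility matrix; verify
}

# Constructed inputs modelled on the situation described above.
CONFIG_BROKEN = """\
: Saved
ASA Version 9.0(2)
boot system disk0:/asa902-k8.bin
asdm image disk0:/asdm-509.bin
: end
"""
CONFIG_FIXED = CONFIG_BROKEN.replace("asdm-509.bin", "asdm-721.bin")

DIR_BEFORE = """\
Directory of disk0:/
148    -rwx  15390720     09:08:54 Jul 31 2013  asa825-k8.bin
149    -rwx  27611136     09:43:48 Oct 31 2013  asa902-k8.bin
20     drwx  2048         09:12:16 Jul 31 2013  coredumpinfo
151    -rwx  16280544     09:14:46 Jul 31 2013  asdm-645.bin
153    -rwx  14240396     14:14:18 Jun 11 2014  asdm-631.bin
127004672 bytes total (21886976 bytes free)
"""
DIR_AFTER = DIR_BEFORE.replace(
    "127004672 bytes total",
    "180    -rwx  17902592     10:02:11 Jun 12 2014  asdm-721.bin\n"
    "127004672 bytes total")


def parse_asa_version(config):
    """'ASA Version 9.0(2)' -> (9, 0, 2); None if absent."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", config, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_asdm_image(config):
    """'asdm image disk0:/asdm-509.bin' -> 'disk0:/asdm-509.bin'."""
    m = re.search(r"^asdm image (\S+)", config, re.M)
    return m.group(1) if m else None


def asdm_version_from_filename(path):
    """'asdm-645.bin' -> (6, 4, 5).  Images of this era encode major, minor
    and maintenance release as three digits; longer names (two-digit minor
    releases such as 7.13) are deliberately left unparsed (None)."""
    m = re.search(r"asdm-(\d)(\d)(\d)\.bin$", path)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_dir_listing(dir_output):
    """Return the set of entry names in `dir disk0:/` output."""
    entry = re.compile(
        r"^\s*\d+\s+[-d]rwx\s+\d+\s+\d\d:\d\d:\d\d \w{3} \d\d \d{4}\s+(\S+)")
    return {m.group(1) for m in map(entry.match, dir_output.splitlines()) if m}


def check_asdm(config, dir_output):
    """Return a list of findings; an empty list means ASDM should load."""
    asa, image = parse_asa_version(config), parse_asdm_image(config)
    if asa is None or image is None:
        return ["config lacks an `ASA Version` or `asdm image` line"]
    findings = []
    filename = image.rsplit("/", 1)[-1]
    if filename not in parse_dir_listing(dir_output):
        findings.append(f"{image} is not on flash")
    asdm = asdm_version_from_filename(filename)
    required = MIN_ASDM_FOR_ASA.get(asa[:2])
    if asdm is None:
        findings.append(f"cannot read an ASDM version from {filename}")
    elif required is None:
        findings.append(f"no ASDM minimum known for ASA {asa[0]}.{asa[1]}")
    elif asdm[:2] < required:
        findings.append(f"ASDM {asdm[0]}.{asdm[1]}({asdm[2]}) is below the "
                        f"{required[0]}.{required[1]} minimum for ASA {asa[0]}.{asa[1]}")
    return findings


if __name__ == "__main__":
    print("before:", check_asdm(CONFIG_BROKEN, DIR_BEFORE) or ["ok"])
    print("after: ", check_asdm(CONFIG_FIXED, DIR_AFTER) or ["ok"])
```

With the "before" inputs the script reports both problems Jeff found; with the "after" inputs (asdm-721.bin copied to flash and `asdm image disk0:/asdm-721.bin` configured) it reports none. The version table is deliberately small: extend it only from Cisco's published matrix, and treat an unknown train as a finding rather than guessing.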

  • Asa 8 and asdm 6

    Upgraded to 8 and ASDM 6. Had
    http server 444
    and found that I could no longer add subnet access
    http x.x.x.x mask outside
    without first clearing the entire config, adding http server without a port, adding the access, then putting the new port back on. In addition, the log just shows denies when attempting to access ASDM from outside, though I have put in http 0.0.0.0 0.0.0.0 outside just to test. Any ideas?

    It appears that with ASDM 6 and ASA 8 it can distinguish between ASDM access and web access. I have found it works fine w/o changing the port but doesn't if the port is changed.

  • Cisco ASA 5505 Ipsec VPN and random connection dropping issues.

    Hello,
    We are currently having issues with an ASA 5505 IPsec VPN. It was configured about 7-8 months ago and has been running very well, up until the last few weeks. For some reason, the VPN tends to randomly disconnect any connected user clients a lot. Furthermore, sometimes it actually connects; however, it does not put us on the local network for some reason and we are unable to browse the file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss, but we are still unable to pinpoint the problem. Sometimes users close out of the VPN client completely, reopen it several times and then it works. However, it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to the ASA at all. Furthermore, the Cisco IPsec VPN client version is 5.0.70.
    Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good, then I will defer back to our ISP Time Warner:
    : Saved
    ASA Version 8.4(2)
    hostname domainasa
    domain-name adomain.local
    enable password cTfsR84pqF5Xohw. encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 205.101.1.240 255.255.255.248
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 192.168.2.60
    domain-name adomain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network SBS_2011
    host 192.168.2.60
    object network NETWORK_OBJ_192.168.2.0_24
    subnet 192.168.2.0 255.255.255.0
    object network NETWORK_OBJ_192.168.5.192_27
    subnet 192.168.5.192 255.255.255.224
    object network Https_Access
    host 192.168.2.90
    description Spam Hero
    object-group network DM_INLINE_NETWORK_1
    network-object object SPAM1
    network-object object SPAM2
    network-object object SPAM3
    network-object object SPAM4
    network-object object SPAM5
    network-object object SPAM6
    network-object object SPAM7
    network-object object SPAM8
    object-group service RDP tcp
    description Microsoft RDP
    port-object eq 3389
    access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
    access-list outside_access_in extended permit tcp any object SBS_2011 eq https
    access-list outside_access_in extended permit icmp any interface outside
    access-list outside_access_in remark External RDP Access
    access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
    access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
    ip local pool VPN_Users 192.168.5.194-192.168.5.220 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 destination static NETWORK_OBJ_192.168.5.192_27 NETWORK_OBJ_192.168.5.192_27 no-proxy-arp route-lookup
    object network obj_any
    nat (inside,outside) dynamic interface
    object network SBS_2011
    nat (inside,outside) static interface service tcp smtp smtp
    object network Https_Access
    nat (inside,outside) static interface service tcp https https
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.168.2.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.2.160-192.168.2.199 inside
    dhcpd dns 192.168.2.60 24.29.99.36 interface inside
    dhcpd wins 192.168.2.60 24.29.99.36 interface inside
    dhcpd domain adomain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy domain internal
    group-policy domain attributes
    wins-server value 192.168.2.60
    dns-server value 192.168.2.60
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value domain_splitTunnelAcl
    default-domain value adomain.local
    username ben password zWCAaitV3CB.GA87 encrypted privilege 0
    username ben attributes
    vpn-group-policy domain
    username sdomain password FATqd4I1ZoqyQ/MN encrypted
    username sdomain attributes
    vpn-group-policy domain
    username adomain password V5.hvhZU4S8NwGg/ encrypted
    username adomain attributes
    vpn-group-policy domain
    service-type admin
    username jdomain password uODal3Mlensb8d.t encrypted privilege 0
    username jdomain attributes
    vpn-group-policy domain
    service-type admin
    tunnel-group domain type remote-access
    tunnel-group domain general-attributes
    address-pool VPN_Users
    default-group-policy domain
    tunnel-group domain ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:e2466a5b754eebcdb0ceff051bef91d9
    : end
    no asdm history enable
    Thanks again

    Hello Belnet,
    What do the logs show from the ASA?
    Can you post them?
    Any other question? Sure. Just remember to rate all of the community answers.
    Julio

  • Use Java version 6 update 7 and ASDM 7.1.3

    ASDM access to the 5500 using Java was just a frustrating experience. If you manage only one device you may not notice the pain. But if you are managing multiple devices, with some devices 'forbidden' to update ASA firmware, it is very frustrating. I spent a few days looking at the issue, came to a conclusion and decided to post to guide all newer VPN admins who will go through the same pain, and hopefully we can reduce some combined wasted time. No thanks to Cisco. This is not a guide but a starting point for a discussion, and all input is welcome.
      Recommended Beginning Setup for New Admin :
      Java Version 6 Update 7      
      ASDM 7.1(3)
      Reason for recommendation :
      a. There doesn't seem to be any recommendation as to where to start your ASDM journey. So here. Start from here. The attached PDF is a simple list of Java versions and their release dates. http://en.wikipedia.org/wiki/Java_version_history Version 6 Update 7 is unique in that it is the last version to support Win 9x. Why is that important? ASDM is written on the Win 9x interface.
      b. It is a very old 2008 release. So why use such an old security cesspool of a product as a base? Security of newer versions of Java isn't any better. The recommendation for Java use is to not use it. Java isn't secure. '.' But Cisco is insisting on using it. Shame on Cisco, and this ASDM Java debacle is a shameful thing that Cisco even now couldn't care less about.
      c. Attached is the list of release dates of Java and Cisco products. ASDMs for FWSM range from 2007-2010, ASA 5500 and PIX 2007-2008, ASA 2010-2013. 2008 seems to fit quite nicely in the middle. Very scientific.
      Recommendation after gaining full access
      a. Update ASA and ASDM firmware to the latest. ASDM 7.1.3 has the same interface as much older ASDM. Kudos to Cisco on that.
      b. Write to US-CERT and CC Cisco to have them remove Java from their key platform. (Android too... <- now, there's a joke!)

    UPDATE 2...
    The ASDM ASA management platform has a major flaw. Different versions require different versions of the Java JRE (Runtime Environment). One would think the latest version should be backward compatible. It isn't so.
    So far Java Version 6 Update 7 has been the most compatible for my work. But NSP and other management consoles also require the JRE, and they, unlike Cisco, work well with the latest version but not with older versions.
    Keeping and working with multiple versions of the JRE is a pain because the JRE does not have proper controls to support that automatically. One way to launch a different version of the JRE instead of the default is the command line.
    In the ASDM shortcut icon's properties, add version information in "Target:". Find the JRE versions installed on your system under C:\Program Files (x86)\Java. Add the option -version:"1.6.0_07" to specify which version to use. My example is JRE version 6 update 7.
    Original line :
    C:\Windows\SysWOW64\javaw.exe -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher
    Modified line :
    C:\Windows\SysWOW64\javaw.exe -version:"1.6.0_07" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher
    http://docs.oracle.com/javase/6/docs/technotes/tools/windows/java.html
    #ASDM #JAVA #JRE

  • CISCO ASA config issue (Remote management ASDM/SSH/etc)

    I can't ping the device from 10.23.1.x either; I can ping it on 10.23.2.x though.

    I have a couple of ASA devices that I want to be able to manage across our network. I have two devices: Device A is 10.23.1.10, the other is on 10.23.2.10. If I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I cannot connect. I have the ASDM configured to accept connections from both networks. Any idea why it does not work? The remote ASA is on the local/inside network, just on a different subnet.
    This topic first appeared in the Spiceworks Community
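    An added configuration example, not from the thread, for the symptom above. The pattern of one inside subnet working and the other failing for SSH, ASDM and even ping is usually a return-path problem rather than an access-line problem: the ASA's inside interface sits on 10.23.2.0/24, and with no route for 10.23.1.0/24 its replies to 10.23.1.x hosts follow the default route out the outside interface, so the session never completes. The inside router address 10.23.2.1 and the host 10.23.1.50 used for the test are assumptions.

    ```cisco
    ! Added example, not from the thread. Assumes the ASA's inside interface is
    ! 10.23.2.10/24 and that 10.23.1.0/24 sits behind an inside router at 10.23.2.1.
    !
    ! 1. Check what is permitted today and what the routing table says.
    !    If 10.23.1.0/24 is not in "show route", replies to it leave via the
    !    default route on the outside interface.
    show run http
    show run ssh
    show route
    !
    ! 2. Return path for the second subnet.
    route inside 10.23.1.0 255.255.255.0 10.23.2.1 1
    !
    ! 3. Management access from the two inside subnets only; never open it to
    !    0.0.0.0 0.0.0.0, and keep SSH on version 2.
    http server enable
    http 10.23.1.0 255.255.255.0 inside
    http 10.23.2.0 255.255.255.0 inside
    ssh 10.23.1.0 255.255.255.0 inside
    ssh 10.23.2.0 255.255.255.0 inside
    ssh version 2
    !
    ! 4. Verify from the ASA side: the ping must now use the inside interface,
    !    and a successful SSH login shows up in the session table.
    ping inside 10.23.1.50
    show ssh sessions
    ```

    Note that `management-access inside` is not needed here; it only matters when the ASA is managed across a VPN tunnel. If the route is already present, compare the `show run http` and `show run ssh` output against the subnet you are connecting from, since a line that permits 10.23.1.0 with the wrong mask or interface name fails the same way.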

  • CISCO ASA 5505 bandwidth Controll and split

    Dear All,
    Below I am giving the infrastructure I would like to set up; please help me.
    I am using a Cisco ASA 5505 VPN firewall and a 6 Mbps 1:1 dedicated internet connection.
    On the LAN side we have 3 networks: one for internet users, one for VPN users, one for CCTV.
    I would like to split the 6 Mbps bandwidth among these 3 networks, 3 x 2 Mbps each.
    Each network uses 2 Mbps of bandwidth. The VPN and CCTV users use it until 6:00 pm; after that the bandwidth will be free.
    After 6:00 pm we need to give the VPN and CCTV bandwidth to the internet users.
    Cisco Adaptive Security Appliance Software Version 7.2(4)
    Device Manager Version 5.2(4)
    Compiled on Sun 06-Apr-08 13:39 by builders
    System image file is "disk0:/asa724-k8.bin"
    So please help me with a suitable configuration for my purpose, or tell me which device will support this and what I have to do.
    Thanks
    Lalu R.S

    There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
    You can do some crude controls with QoS - the configuration guide chapter on doing that is here.
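    As an added example of the crude QoS the answer refers to (this is not the answer's or Cisco's own configuration): per-subnet policing on the 5505, with a time range so the 2 Mbps caps are only enforced during the hours the VPN and CCTV segments need their guaranteed share. Outside that window the ACEs are inactive, no class matches, and the internet users can use the whole 6 Mbps link. The subnet addresses, the 08:00 to 18:00 weekday window and the interface name `outside` are assumptions; the VPN segment is treated as an inside LAN segment, as the question describes it. Policing is rate limiting, not a guarantee, so the 2 Mbps is a ceiling per segment, not a reservation.

    ```cisco
    ! Added example, not from the thread. Subnets, interface name and the
    ! business-hours window are assumptions. Rates are in bps (2 Mbps = 2000000),
    ! bursts in bytes. time-range depends on the ASA clock, so set NTP first.
    time-range BUSINESS_HOURS
     periodic weekdays 08:00 to 18:00
    !
    ! Each ACE is active only inside the time range. Both directions are
    ! listed so the class matches regardless of which side starts the flow.
    access-list QOS_INET extended permit ip 192.168.1.0 255.255.255.0 any time-range BUSINESS_HOURS
    access-list QOS_INET extended permit ip any 192.168.1.0 255.255.255.0 time-range BUSINESS_HOURS
    access-list QOS_VPN  extended permit ip 192.168.2.0 255.255.255.0 any time-range BUSINESS_HOURS
    access-list QOS_VPN  extended permit ip any 192.168.2.0 255.255.255.0 time-range BUSINESS_HOURS
    access-list QOS_CCTV extended permit ip 192.168.3.0 255.255.255.0 any time-range BUSINESS_HOURS
    access-list QOS_CCTV extended permit ip any 192.168.3.0 255.255.255.0 time-range BUSINESS_HOURS
    !
    class-map CM_INET
     match access-list QOS_INET
    class-map CM_VPN
     match access-list QOS_VPN
    class-map CM_CCTV
     match access-list QOS_CCTV
    !
    ! police <input|output> <conform-rate-bps> <conform-burst-bytes>
    ! Traffic above the rate is dropped (the default exceed-action).
    policy-map PM_OUTSIDE
     class CM_INET
      police input 2000000 37500
      police output 2000000 37500
     class CM_VPN
      police input 2000000 37500
      police output 2000000 37500
     class CM_CCTV
      police input 2000000 37500
      police output 2000000 37500
    !
    service-policy PM_OUTSIDE interface outside
    !
    ! Verify that flows are being classified and where drops occur.
    show service-policy interface outside police
    show time-range BUSINESS_HOURS
    ```

    Check the QoS chapter for your exact release before relying on this: `police input` was added after the original output-only policing, and a 7.2(4) box should be tested with `show service-policy` during and outside the window to confirm the time-range ACEs go inactive as expected.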

  • Is ASA integration with ISE and RSA for 2 factor authentication a valid/tested design

    Hi,
    The customer currently uses the ASA to integrate directly with an RSA-type solution to provide a 2-factor authentication mechanism for VPN user access. We are considering introducing ISE to this picture, and offloading posture analysis from the ASA to ISE. The flow we are thinking of is to have the ASA interface to ISE and ISE interface to the RSA and AD backend infrastructure. And we still need the 2-factor authentication to work, i.e., the customer gets an SMS code in addition to their login username and password. I'm wondering if the ASA/ISE/RSA/AD integrated solution (with 2-factor authentication working) is a tested solution or a Cisco validated design? Is there any potential issue that may break the flow?
    Thanks in advance for any input!
    Tina

    Hi,
    I have an update for this quite broad question.
    I have now come a bit further on the path.
    Now the needed RADIUS access attributes are available in ISE after adding them in
    "Policy Elements" -> "Dictionaries" -> "System" -> "Radius" -> "Cisco-VPN3000".
    I added both attribute 146 Tunnel-Group-Name, which I really need to achieve what I want (select different OTP backends depending on the tunnel group in the ASA), and the other new attribute 150 Client-Type, which could be interesting to look at as well.
    Here "Diagnostics Tools" -> "General tools" -> "TCP Dump" and Wireshark helped me understand how this worked.
    With that I could really see the attributes in the RADIUS access requests going in to the ASA.
    Now looking at a request in "Radius Authentication details" I have
    Other Attributes:
    ConfigVersionId=29,Device Port=1025,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,CVPN3000/ASA/PIX7.x-Tunnel-Group-Name=SMHI-TG-RA-ISESMS,CVPN3000/ASA/PIX7.x-Client-Type=,CPMSessionID=ac100865000006294FD60A7F,.....
    OK, the tunnel group name attribute seems to be understood correctly, but Client-Type just says =, no value for that.
    That is strange; I must have defined that wrong(?), but let's leave that for now, I do not really need it for the time being.
    So now that I have this Tunnel-Group-Name attribute available I want to use it in my Rule-Based Authentication Policy.
    The problem now is that as soon as I add to an expression a criterion containing Cisco-VPN3000:CVPN3000/ASA/PIX7.x-Tunnel-Group-Name matches .* (just anything), that row does not match any more. It still works when matching against NAS-IP and other attributes.
    What could it be I have missed?
    Best regards
    /Mattias
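    An added ASA-side example, not from the thread, showing where the value in that Tunnel-Group-Name attribute comes from: it is simply the name of the tunnel group the remote-access connection lands on, so one RADIUS server group and two tunnel groups are enough for ISE to see a different value per group, which is what selecting a different OTP backend per tunnel group relies on. The ISE address, shared secret, interface name and the second group name SMHI-TG-RA-TOKEN are assumptions.

    ```cisco
    ! Added example, not from the thread. ISE address, shared secret, interface
    ! and the second tunnel-group name are assumptions.
    aaa-server ISE protocol radius
    aaa-server ISE (inside) host 10.1.1.5
     key ChangeMe-ISE-Shared-Secret
     authentication-port 1812
     accounting-port 1813
    !
    ! Both tunnel groups authenticate against the same ISE server group. The ASA
    ! sends the tunnel-group name as Cisco-VPN3000 VSA 146 (Tunnel-Group-Name)
    ! in each Access-Request, so ISE policy can branch on it.
    tunnel-group SMHI-TG-RA-ISESMS type remote-access
    tunnel-group SMHI-TG-RA-ISESMS general-attributes
     authentication-server-group ISE
    tunnel-group SMHI-TG-RA-ISESMS webvpn-attributes
     group-alias SMS enable
    !
    tunnel-group SMHI-TG-RA-TOKEN type remote-access
    tunnel-group SMHI-TG-RA-TOKEN general-attributes
     authentication-server-group ISE
    tunnel-group SMHI-TG-RA-TOKEN webvpn-attributes
     group-alias TOKEN enable
    !
    ! Show the alias list to clientless/AnyConnect users so they land on the
    ! intended tunnel group; the alias chosen decides which VSA 146 value ISE sees.
    webvpn
     tunnel-group-list enable
    !
    ! Confirm reachability and the shared secret before debugging ISE policy.
    test aaa-server authentication ISE host 10.1.1.5 username probe password probe
    ```

    The `test aaa-server` command validates the server and secret only; it is not issued in the context of a tunnel group, so do not expect a Tunnel-Group-Name attribute in that particular request when looking at the ISE TCP dump.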

  • HT203200 I made a yearly subscription to Chandamama junior English and Telugu magazines, which are released monthly. I could download for only 2 months and cannot download any more. Please help

    I have made a yearly subscription to Chandamama junior English and Telugu magazines, which are released monthly by the publishers. I could download for only 2 months from the iTunes store and now cannot download any more. No error message. When I enter my iTunes store password, it simply ignores it. Please help.

    Hi Charlotte,
    You don't say what version of Windows you have. Assuming XP, go to Start | Run, type DXDIAG and click OK. Click the Sound tab and run the tests to eliminate a hardware problem first of all. If you don't hear anything, check your cables first of all. Also make sure "Mute" isn't checkmarked in your sound setup. You'll find that in the Windows Control Panel.
    Which browser do you use? If you have Firefox 4, sign up to the HTML5 trial @ http://www.youtube.com/html5
    HTML5 is the latest video standard and doesn't require Flash player. Google is in the process of converting all its files to work with the new format. It may solve your problem. If you don't have Firefox 4, you can get it from here: http://www.mozilla.com/en-US/firefox/fx/
    IE8 doesn't support HTML5.
    To clean out your temp files, go to Start | Run, type: CLEANMGR and click OK. Click OK again to start the utility. Tick all the boxes except "Compress old files" because the latter takes too long, and then click OK. You can run this utility any time you wish by the way.
    The above steps will hopefully fix your problem. If not, post here again please.

  • DHCP and Pointers for Addresses Not Released

    I was asked to see if there could be anything to fix this:
    Our DHCP hands out new IPs within a 24 hour period.
    The Macs in our mixed environment (300 PCs, 52 Macs)
    will get assigned an IP address, and then keep it for the day, and in the morning release it and get a new one at boot.
    HOWEVER, according to the DHCP server, the IP address
    still "points" to the Mac, and thus the DHCP server
    thinks it's in use.
    Our IS department is convinced it's a Mac problem,
    and there has to be some way to make the Macs
    release the address, and tell the server it's released
    that address, so that the server can re-assign
    the address down the line.
    I personally do not think so; I think it is something
    on the DHCP server's end, but I'm not sure.
    Any help on this or insight or general theorizing
    would be helpful. I have also posted this over in
    microsoft.public.windows.server.dns,
    if this post seems familiar....

    Backing up a bit - what is the actual problem leading
    to this investigation? A DHCP server keeps a database
    of pairings of IP addresses with MAC addresses (not
    Macintosh addresses). It should automatically prevent
    any MAC address from consuming more than one IP
    address.
    Most likely it is the fact that we have close to 400 total computers on site, and that we only have a limited number of available blocks of IP addresses (ranges 10.0.0.x, 10.0.1.x, and 10.0.2.x), and although at any given time not all 400 computers are on the network (people out of house, some only go online when necessary for updates etc.), the DNS pointers keep saying that, for instance, an iMac on my desk is using 10.0.1.174, and the DNS server is saying that it should also be 10.0.1.146 (which it had yesterday) as well as 10.0.1.174; but since the DNS server thinks that 10.0.1.146 is still validly assigned, it won't release this address, and thus on the PC side they cannot get the address 10.0.1.146, which then causes a shortage of addresses.
    I hope I explained that the best way possible; to me, it seems like it should be an easily fixed cache problem, if a cache exists for the DNS pointers, that it could be regularly dumped?

  • I need to create buttons in which the color changes, and stays on after you release the button

    I need to create buttons in which the color changes, and stays on after you release the button. The hard part is the buttons must change independently of each other.
    To give an idea of some of the things I've tried: I've tried making the movie with two frames.
    When I click the button it switches to the new frame, which shows a movie clip.
    Unfortunately all buttons change color together and I don't see how to make them change independently.

    You must use movie clip buttons and code their frame changes.

  • HT1688 hello good afternoon I have a 3g iphone in mexico activodo with baseband 05.16.05 and my brother would be released without my permission I know I can do split that q is again a function

    hello good afternoon I have a 3g iphone in mexico activodo with baseband 05.16.05 and my brother would be released without my permission I know I can do split that q is again a function

    No idea what you are asking.

  • Trouble with edit and develop after november 2013 release?

    Hi,
    I can not use edit and develop after release November 2013.
    I am a user from Sweden and wonder if it only hit European data center?
    The language has also changed from Swedish to English in the modules.
    I can not access the following in Site Settings:
    Admin users
    Mobile support
    Secure Domain redirect
    Beta features
    Does anyone have the same problem?
    Regards André

    Hi Florin
    There is no errors in the browser. I tested Chrome, Safari, Firefox.
    I sent a video to your colleague Silviu Ghimposanu (Adobe Business Catalyst Support)
    He can give you more information. I submit tickets. Ticketsnr 60092, 60085
    Maybe you can solve this together.
    Regards André
    On 20 Nov 2013 at 12:17, Florin Carlig wrote:
    Re: Trouble with edit and develop after november 2013 release?
    created by Florin Carlig in Business Catalyst
    Hi Andre,
    Can you please record a quick video with the errors you might have in your browser, in the browser's console?
    Here's what I want (a video I did in Chrome): http://screencasteu.worldsecuresystems.com/Florin/2013-11-20_1306.swf
    You can use Jing to record this kind of videos: http://www.techsmith.com/jing.html
    Thanks and regards,
    Florin

  • Favicon does not show up on Google chrome and firefox with new muse release. Opera showing favicon ok.

    The favicon does not show up in Google Chrome and Firefox with the new Muse release when exporting HTML or publishing with FTP. Opera shows the favicon OK. The previous Muse release was working fine.
    this website was created with one update back BK Foto
    this one page was updated with latest updated Muse and after publishing with FTP through Muse favicon does not show up Paslaugų Era | Foto Video Paslaugos

    Export your HTML and then just edit index.html with any text editor; look for the line <link rel="...................................>
    Then delete that whole line and paste in this one:
    <link href="//PATH/favicon.ico" rel="shortcut icon" type="image/x-icon">
    PATH = where you have your favicon.ico
    I usually copy the favicon.ico into the images folder, so the line will be like this:
    <link href="//mydomain.com/images/favicon.ico" rel="shortcut icon" type="image/x-icon">
    I hope it helps you.
    Sorry about my English; my Spanish is much better.
    Juan Pedro Avila
